
Infected with Zero Access Rootkit


  • This topic is locked
30 replies to this topic

#1 lchageman

  • Members
  • 87 posts
  • Gender:Female

Posted 11 February 2012 - 02:53 PM

Hi,
I was being helped in the other forum to diagnose a leftover infection from the System Check malware after using the System Check Removal Guide (Persistent Google Redirects). I ran TDSS Killer, GMER and aswMBR as directed and posted the logs, after which I was referred here:

You're infected with zero access rootkit which needs advanced tools

Read the guide here

http://www.bleepingcomputer.com/forums/topic34773.html

and create a topic here

http://www.bleepingcomputer.com/forums/forum22.html

Good luck


Posting today's DDS text log and attaching the associated DDS attach log and also the GMER log from the earlier forum. The GMER scan I ran included some of the things that this forum's guide asks to uncheck. Please let me know if I need to run a new scan with the specified parameters (GMER took a really, really long time to run on my computer; I had to leave it overnight).
Thank you!!!!
____________


.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Christine Hageman at 11:26:26 on 2012-02-11

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.544 [GMT -5:00]

.

AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\Program Files\AVG\AVG9\avgcsrvx.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Microsoft\BingBar\SeaPort.EXE

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\MozyHome\mozybackup.exe

C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Soluto\SolutoService.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\WINDOWS\system32\fxssvc.exe

C:\Program Files\Soluto\soluto.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\Program Files\Multimedia Card Reader 6361\shwicon2k.exe

C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe

C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\AVG Secure Search\vprot.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\program files\real\realplayer\update\realsched.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\Temp\_ex-68.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\MozyHome\mozystat.exe

C:\Program Files\Secunia\PSI\psi_tray.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\Program Files\SpywareGuard\sgbhp.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Dell\Media Experience\PCMService.exe

C:\Program Files\Yahoo!\Common\YMailAdvisor.exe

C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\Program Files\DellSupport\brkrsvc.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Yahoo!\Companion\Installs\cpn9\ytbb.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8

uWindow Title = Windows Internet Explorer provided by Yahoo!

uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway

uInternet Settings,ProxyOverride = 127.0.0.1;localhost;*.local

mSearchAssistant = hxxp://www.google.com/ie

mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\soluto\soluto.exe /userinit,

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn9\yt.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll

BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.0.0.7\AVG Secure Search_toolbar.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll

BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn9\YTSingleInstance.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn9\yt.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"

TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.0.0.7\AVG Secure Search_toolbar.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File

TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File

{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [QAGENT] c:\quickenw\QAGENT.EXE

uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

uRun: [RepairSolutions] "c:\program files\repairsolutions\RepairSolutions.exe"

uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun

uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~2.EXE -Update -1103470 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SearchToolbar 1.2; GTB7.0; Windows-Media-Player/10.00.00.3990; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; yie8)" -"http://www.nabiscoworld.com/Games/game_large.aspx?gameid=10036"

mRun: [EM_EXEC] c:\progra~1\logitech\mousew~1\system\EM_EXEC.EXE

mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume

mRun: [Sunkist2k] c:\program files\multimedia card reader 6361\shwicon2k.exe

mRun: [Dell AIO Printer A920] "c:\program files\dell aio printer a920\dlbkbmgr.exe"

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [vProt] "c:\program files\avg secure search\vprot.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [ROC_roc_dec12] "c:\program files\avg secure search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12

mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot

mRun: [MozillaAgent] c:\windows\temp\_ex-68.exe

StartupFolder: c:\docume~1\christ~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe

StartupFolder: c:\docume~1\christ~1\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe

mPolicies-explorer: <NO NAME> =

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll

LSP: mswsock.dll

Trusted Zone: intuit.com\ttlc

Trusted Zone: plaxo.com\www

Trusted Zone: turbotax.com

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: vzTCPConfig - hxxp://my.verizon.com/micro/speedoptimizer/fios/vzTCPConfig.CAB

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office2010.microsoft.com/sites/production/ieawsdc32.cab

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab

DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab

DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab

DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/61.12/uploader2.cab

DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab

DPF: {596AF4AC-40A0-474A-9F86-33F0A90F0FD6} - hxxp://photos.msn.com/resources/neutral/controls/DigWebX2.cab

DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab

DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - hxxp://mediaplayer.walmart.com/installer/install.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {94B82441-A413-4E43-8422-D49930E69764} - hxxps://kattracker-portal.ads.k-state.edu/media/VisitorChat/TLIEFlash.CAB

DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab

DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - hxxp://support.microsoft.com/mats/DiagWebControl.cab

DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab

DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} - hxxp://ak.imgag.com/imgag/cp/install/Crusher.cab

DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{9CD9EC25-90F4-45FD-97CA-FCA1FE38E242} : DhcpNameServer = 192.168.1.1

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\10.0.6\ViProtocol.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: avgrsstarter - avgrsstx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll

mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

.

============= SERVICES / DRIVERS ===============

.

R0 Soluto;Soluto;c:\windows\system32\drivers\Soluto.sys [2011-10-19 51144]

R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2004-1-7 4064]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-24 216400]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-24 29712]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-24 243152]

R1 crlscsi;crlscsi;c:\windows\system32\drivers\crlscsi.sys [2004-6-11 6144]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2006-10-10 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 67664]

R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2010-7-3 116608]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]

R2 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\SeaPort.EXE [2011-6-15 249648]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-25 149352]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-25 149352]

R2 SolutoService;Soluto PCGenome Core Service;c:\program files\soluto\SolutoService.exe [2011-10-18 456736]

R2 vToolbarUpdater;vToolbarUpdater;c:\program files\common files\avg secure search\vtoolbarupdater\10.0.6\ToolbarUpdater.exe [2012-1-15 909152]

R3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2012-2-9 50704]

S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]

S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]

S2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\CCPROXY.EXE [2007-8-25 211816]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-7-4 133104]

S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-7-7 195336]

S3 cur_bus;Curitel USB Composite Device driver (WDM);c:\windows\system32\drivers\cur_bus.sys [2009-5-18 51040]

S3 cur_mdfl;Curitel Packet Service Filter;c:\windows\system32\drivers\cur_mdfl.sys [2009-5-18 6064]

S3 cur_mdm;Curitel Packet Service Drivers;c:\windows\system32\drivers\cur_mdm.sys [2009-5-18 82640]

S3 cur_serd;Curitel Packet Service Diagnostic Serial Port (WDM);c:\windows\system32\drivers\cur_serd.sys [2009-5-18 64096]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-7-4 133104]

S3 HPCFILT6;Alcor Micro Corp - 6361;c:\windows\system32\drivers\HPCfilt6.sys [2005-1-14 29592]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 12872]

S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [2004-1-8 15576]

.

=============== Created Last 30 ================

.

2012-02-10 00:22:16 50704 ----a-w- c:\windows\system32\drivers\npf.sys

2012-02-10 00:22:16 281104 ----a-w- c:\windows\system32\wpcap.dll

2012-02-10 00:22:16 100880 ----a-w- c:\windows\system32\Packet.dll

2012-02-08 21:42:39 -------- d-----w- c:\program files\common files\xing shared

2012-02-08 19:23:06 73728 ----a-w- c:\windows\system32\javacpl.cpl

2012-02-08 19:13:53 -------- d-----w- c:\documents and settings\christine hageman\local settings\application data\Secunia PSI

2012-02-08 19:13:29 -------- d-----w- c:\program files\Secunia

2012-02-08 05:11:31 -------- d-----w- C:\TDSSKiller_Quarantine

2012-02-07 23:05:32 0 --sha-w- c:\windows\system32\dds_trash_log.cmd

2012-01-15 15:23:34 -------- d-----w- c:\windows\system32\cache

.

==================== Find3M ====================

.

2012-02-10 00:10:20 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2012-02-08 19:25:37 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-02-08 19:22:40 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-11-23 13:25:32 1859584 ------w- c:\windows\system32\win32k.sys

2011-11-18 12:35:08 60416 ------w- c:\windows\system32\packager.exe

2011-11-16 14:21:44 354816 ----a-w- c:\windows\system32\winhttp.dll

2011-11-16 14:21:44 152064 ----a-w- c:\windows\system32\schannel.dll

.

============= FINISH: 11:29:04.03 ===============
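The DDS log above is the kind of listing a helper reads by hand; as an added example (not code from the thread or from any BleepingComputer tool), this Python script applies a few of those reading checks mechanically: autostart entries and running processes that live in temp or profile directories, orphaned "No File" entries, and extra values in the Winlogon Userinit string. The sample log is a constructed excerpt of the lines posted above; the directory list and severities are assumptions, so a hit is a prompt for review, not a verdict.

```python
"""Triage of a DDS-style log.  Flags autostart entries and running processes
in temp/profile directories, orphaned "No File" entries and extra Winlogon
Userinit values.  Constructed example, not a BleepingComputer tool."""
import re
from dataclasses import dataclass

# Directories a legitimately installed autostart on XP rarely runs from (assumed list).
SUSPECT_DIRS = ("c:\\windows\\temp", "\\local settings\\temp",
                "\\application data\\", "c:\\recycler")
AUTOSTART_KINDS = ("urun", "mrun", "urunonce", "mrunonce", "startupfolder")
_EXE_RE = re.compile(r"^(.*?\.(?:exe|scr|com|cmd|bat|dll))(?=\s|$)", re.I)
_ENTRY_RE = re.compile(r"^(\w+):\s*(?:\[[^\]]*\]\s*)?(.*)$")


@dataclass
class Finding:
    rule: str
    section: str
    detail: str
    severity: str = "review"


def extract_path(cmdline: str) -> str:
    """Return the lower-cased executable path from a DDS command line."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):                 # "quoted path" args
        end = cmdline.find('"', 1)
        return (cmdline[1:end] if end > 0 else cmdline).lower()
    m = _EXE_RE.match(cmdline)                  # unquoted path, maybe with args
    if m:
        return m.group(1).lower()
    return cmdline.split(" -", 1)[0].lower()    # e.g. svchost -k DcomLaunch


def in_suspect_dir(path: str) -> bool:
    return any(d in path for d in SUSPECT_DIRS)


def sections(log: str) -> dict:
    """Split a DDS log into {section name: [lines]} on its '====' banners."""
    out, current = {}, None
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("==="):
            current = line.strip("= ").lower()
            out[current] = []
        elif line and line != "." and current is not None:
            out[current].append(line)
    return out


def triage(log: str) -> list:
    secs = sections(log)
    findings = []
    running = {extract_path(ln) for ln in secs.get("running processes", [])
               if ":\\" in ln}
    for path in sorted(running):
        if in_suspect_dir(path):
            findings.append(Finding("process-in-suspect-dir", "running processes", path, "high"))
    for line in secs.get("pseudo hjt report", []):
        m = _ENTRY_RE.match(line)
        if not m:
            continue
        kind, rest = m.group(1).lower(), m.group(2)
        if rest.endswith("- No File"):          # entry whose file is gone
            findings.append(Finding("orphan-entry", kind, line))
        elif kind in AUTOSTART_KINDS:
            # StartupFolder lines are "<shortcut>.lnk - <target>"; take the target.
            target = rest.rsplit(" - ", 1)[-1] if kind == "startupfolder" else rest
            path = extract_path(target)
            if in_suspect_dir(path):
                sev = "high" if path in running else "medium"   # persisted AND live
                findings.append(Finding("autostart-in-suspect-dir", kind, path, sev))
        elif kind == "mwinlogon" and rest.lower().startswith("userinit="):
            values = [v.strip().lower() for v in rest[len("userinit="):].split(",") if v.strip()]
            for v in values:
                if not v.startswith("c:\\windows\\system32\\userinit.exe"):
                    findings.append(Finding("winlogon-userinit-extra", kind, v))
    return findings


# Constructed excerpt of the DDS log posted above (same line formats).
SAMPLE_LOG = r"""
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\Temp\_ex-68.exe
C:\WINDOWS\system32\ctfmon.exe
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\soluto\soluto.exe /userinit,
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
mRun: [MozillaAgent] c:\windows\temp\_ex-68.exe
StartupFolder: c:\docume~1\christ~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.rule:26} {f.section}: {f.detail}")
```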



#2 CatByte

    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 11 February 2012 - 07:27 PM

Hi,

Please do the following:

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • when the window opens, click on Change Parameters
  • under "Additional options", put a check mark in the box next to "Detect TDLFS File System" (If found - select delete)
  • click OK
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)



NEXT



Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 lchageman

  • Topic Starter
  • Members
  • 87 posts
  • Gender:Female

Posted 11 February 2012 - 11:01 PM

Hi, ComboFix detected rootkit activity and wanted to reboot, so I did that, but now I have lost my keyboard and mouse, so I can't log back into Windows.

#4 CatByte

    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 12 February 2012 - 10:34 AM

I'll have to get a mod to delete them. Do you have access to a USB keyboard and mouse? It would appear the infection was in the keyboard and mouse driver; that is not uncommon.



#5 lchageman

  • Topic Starter
  • Members
  • 87 posts
  • Gender:Female

Posted 12 February 2012 - 01:27 PM

I don't have a USB mouse or keyboard. My keyboard is wired. My mouse is wireless with a USB-connected base. I have an extra mouse with the old type of connection for the back of the computer (next to the keyboard connection).

Edited by lchageman, 12 February 2012 - 01:42 PM.


#6 CatByte

    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 12 February 2012 - 01:30 PM

Yes, a wireless mouse connects via USB.


We have lost the i8042prt.sys file, which we need to replace.

There will probably be one in the i386 folder that we can expand and replace, but you need to be able to get in first.



#7 CatByte

    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 12 February 2012 - 01:32 PM

Sorry,

you edited your post before I posted; I thought you had access to a USB mouse.

Do you know anyone that you can borrow one from?



#8 lchageman

  • Topic Starter
  • Members
  • 87 posts
  • Gender:Female

Posted 12 February 2012 - 05:34 PM

OK, I picked up a mouse from Radio Shack. ComboFix finished running, rebooted and created a log, but I don't have the keyboard. What do I do now?

#9 CatByte

    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 12 February 2012 - 05:49 PM

You should be able to enable the on-screen keyboard with the mouse (if that will work; not sure if it uses the same driver).


Click your way to Start > All Programs > Accessories > Accessibility > On-Screen Keyboard. You should be able to work that keyboard with the mouse.

Now we need to find a replacement for i8042prt.sys.


Please do the following:

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    *i8042prt*
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


Also copy/paste the content of the ComboFix log so we can see if any other files are missing.

Thanks



#10 lchageman

  • Topic Starter
  • Members
  • 87 posts
  • Gender:Female

Posted 12 February 2012 - 06:31 PM

Here is the SystemLook log:
SystemLook 30.07.11 by jpshortstuff
Log created at 18:25 on 12/02/2012 by Christine Hageman
Administrator - Elevation successful

========== filefind ==========

Searching for "*i8042prt*"
C:\cmdcons\I8042PRT.SY_ --a---- 26025 bytes [04:14 04/08/2004] [04:14 04/08/2004] 819D427AB9DBE6AC2960A585087CB766
C:\I386\I8042PRT.SYS --a--c- 51072 bytes [01:35 05/01/2004] [11:00 29/08/2002] 7080F46568108CC6EA73E460EE6EE702
C:\WINDOWS\$NtServicePackUninstall$\i8042prt.sys -----c- 52736 bytes [14:35 20/08/2008] [06:14 04/08/2004] 5502B58EEF7486EE6F93F3F164DCB808
C:\WINDOWS\ServicePackFiles\i386\i8042prt.sys ------- 52480 bytes [06:14 04/08/2004] [19:18 13/04/2008] 4A0B06AA8943C1E332520F7440C0AA30
C:\WINDOWS\SYSTEM32\DRIVERS\i8042prt.sys --a---- 52480 bytes [11:00 29/08/2002] [19:18 13/04/2008] 4A0B06AA8943C1E332520F7440C0AA30

-= EOF =-

Here is the ComboFix log:

ComboFix 12-02-11.03 - Christine Hageman 02/12/2012 16:09:07.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.1549 [GMT -5:00]
Running from: c:\documents and settings\Christine Hageman\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\~X8YGf2YIROsUKh
c:\documents and settings\All Users\Application Data\~X8YGf2YIROsUKhr
c:\documents and settings\All Users\Application Data\Tarma Installer
c:\documents and settings\All Users\Application Data\Tarma Installer\{E7269FD6-34EA-4617-8752-6739AA384080}\_Setup.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{E7269FD6-34EA-4617-8752-6739AA384080}\_Setupx.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{E7269FD6-34EA-4617-8752-6739AA384080}\20100602221512.log
c:\documents and settings\All Users\Application Data\Tarma Installer\{E7269FD6-34EA-4617-8752-6739AA384080}\Setup.dat
c:\documents and settings\All Users\Application Data\Tarma Installer\{E7269FD6-34EA-4617-8752-6739AA384080}\Setup.exe
c:\documents and settings\All Users\Application Data\Tarma Installer\{E7269FD6-34EA-4617-8752-6739AA384080}\Setup.ico
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\DFC5A2B2.TMP
c:\documents and settings\All Users\Application Data\X8YGf2YIROsUKh
c:\documents and settings\Christine Hageman\My Documents\~WRD0003.tmp
c:\documents and settings\Christine Hageman\My Documents\~WRL2212.tmp
c:\documents and settings\Christine Hageman\Start Menu\Programs\System Check
c:\documents and settings\Christine Hageman\Start Menu\Programs\System Check\System Check.lnk
c:\documents and settings\Christine Hageman\Start Menu\Programs\System Check\Uninstall System Check.lnk
c:\documents and settings\Christine Hageman\WINDOWS
c:\documents and settings\Jeannie Hageman\WINDOWS
c:\documents and settings\Kellie Hageman\WINDOWS
c:\documents and settings\Larry Hageman\WINDOWS
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
c:\windows\$NtUninstallKB19369$\2669687673
c:\windows\$NtUninstallKB19369$\3441067699\@
c:\windows\$NtUninstallKB19369$\3441067699\cfg.ini
c:\windows\$NtUninstallKB19369$\3441067699\Desktop.ini
c:\windows\$NtUninstallKB19369$\3441067699\L\asobptkf
c:\windows\$NtUninstallKB19369$\3441067699\U\00000001.@
c:\windows\$NtUninstallKB19369$\3441067699\U\00000002.@
c:\windows\$NtUninstallKB19369$\3441067699\U\00000004.@
c:\windows\$NtUninstallKB19369$\3441067699\U\80000000.@
c:\windows\$NtUninstallKB19369$\3441067699\U\80000004.@
c:\windows\$NtUninstallKB19369$\3441067699\U\80000032.@
c:\windows\$NtUninstallKB19369$\3441067699\version
c:\windows\Bc04002.exe
c:\windows\bwUnin-6.1.4.68-8876480L.exe
c:\windows\bwUnin-7.2.0.137-8876480SL.exe
c:\windows\bwUnin-7.2.0.157-8876480SL.exe
c:\windows\bwUnin-8.1.1.50-8876480SL.exe
c:\windows\system32\adpu160m.dll
c:\windows\system32\aswtdi.dll
c:\windows\system32\avidsdmservice.dll
c:\windows\system32\Cache
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\6df891d0a099e1ba.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\e0de16f883bea794.fb
c:\windows\system32\CSDriver.dll
c:\windows\system32\icm10blk.dll
c:\windows\system32\mcredirector.dll
c:\windows\system32\mpfservice.dll
c:\windows\system32\nwrdr.dll
c:\windows\system32\oracleorahome811cman.dll
c:\windows\system32\Packet.dll
c:\windows\system32\pccsmcfd.dll
c:\windows\system32\pivot.dll
c:\windows\system32\rasacd.dll
c:\windows\system32\SaiNtBus.dll
c:\windows\system32\sandradatasrv.dll
c:\windows\system32\SE2Bobex.dll
c:\windows\system32\se59mgmt.dll
c:\windows\system32\smapint.dll
c:\windows\system32\SNC.dll
c:\windows\system32\sr.dll
c:\windows\system32\st330service.dll
c:\windows\system32\SymIM.dll
c:\windows\system32\trioservice.dll
c:\windows\system32\tvtfilter.dll
c:\windows\system32\UsbDiag.dll
c:\windows\system32\vpctcom.dll
c:\windows\system32\w800mdfl.dll
c:\windows\system32\wg3n.dll
c:\windows\system32\wpcap.dll
c:\windows\system32\ws2ifsl.dll
c:\windows\Temp\_ex-08.exe
c:\windows\Temp\_ex-68.exe
.
Infected copy of c:\windows\system32\drivers\serial.sys was found and disinfected
Restored copy from - The cat found it :)
c:\windows\system32\drivers\cdrom.sys was missing
Restored copy from - c:\windows\system32\dllcache\cdrom.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Legacy_NPF
-------\Legacy_USNJSVC
-------\Service_6to4
-------\Service_NPF
-------\Service_usnjsvc
-------\Legacy_DevUpper
-------\Service_DevUpper
.
.
((((((((((((((((((((((((( Files Created from 2012-01-12 to 2012-02-12 )))))))))))))))))))))))))))))))
.
.
2012-02-12 21:36 . 2009-12-22 18:39 62592 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-02-12 21:36 . 2009-12-22 18:39 62592 ----a-w- c:\windows\system32\dllcache\cdrom.sys
2012-02-12 21:07 . 2012-02-12 21:07 -------- d-----w- c:\documents and settings\NetworkService\Application Data\RealNetworks
2012-02-12 17:50 . 2012-02-12 17:50 53248 ----a-w- c:\windows\system32\6to4v32.dll
2012-02-12 17:50 . 2012-02-12 17:50 37888 ----a-w- c:\windows\system32\USB3Sw32.dll
2012-02-12 17:50 . 2012-02-12 17:50 156672 ----a-w- c:\windows\system32\NCUSBw32.dll
2012-02-12 03:22 . 2008-04-13 19:15 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2012-02-12 03:22 . 2008-04-13 19:15 64512 ----a-w- c:\windows\system32\dllcache\serial.sys
2012-02-10 00:22 . 2012-02-10 00:22 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2012-02-08 21:53 . 2012-02-08 21:53 -------- d-----w- c:\program files\Common Files\Skype
2012-02-08 21:42 . 2012-02-08 21:42 -------- d-----w- c:\program files\Common Files\xing shared
2012-02-08 19:23 . 2012-02-08 19:22 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-08 19:13 . 2012-02-08 19:13 -------- d-----w- c:\documents and settings\Christine Hageman\Local Settings\Application Data\Secunia PSI
2012-02-08 19:13 . 2012-02-08 19:13 -------- d-----w- c:\program files\Secunia
2012-02-08 05:11 . 2012-02-12 02:49 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-08 02:25 . 2012-02-08 02:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2012-02-08 00:28 . 2012-02-08 00:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2012-02-07 23:05 . 2012-02-12 20:13 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-12 02:51 . 2002-08-29 11:00 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2012-02-10 00:10 . 2002-08-29 11:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2012-02-08 19:25 . 2011-05-17 10:46 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-08 19:22 . 2010-06-03 22:57 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-25 21:57 . 2002-08-29 11:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2002-08-29 11:00 1859584 ------w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2002-08-29 11:00 60416 ------w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2004-10-19 00:46 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2002-08-29 11:00 152064 ----a-w- c:\windows\system32\schannel.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-01-15 15:23 1811296 ----a-w- c:\program files\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2011-07-26 14:15 2532680 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll" [2012-01-15 1811296]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2011-09-29 13:50 3546904 ----a-w- c:\program files\MozyHome\mozyshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2011-09-29 13:50 3546904 ----a-w- c:\program files\MozyHome\mozyshell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-18 68856]
"QAGENT"="c:\quickenw\QAGENT.EXE" [2000-04-28 41472]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-02-03 4617600]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-02-01 17146504]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EM_EXEC"="c:\progra~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2001-12-20 35328]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"Sunkist2k"="c:\program files\Multimedia Card Reader 6361\shwicon2k.exe" [2005-01-13 135168]
"Dell AIO Printer A920"="c:\program files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-05-03 270336]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-01-15 939872]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"ROC_roc_dec12"="c:\program files\AVG Secure Search\ROC_roc_dec12.exe" [2012-01-15 928096]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2012-02-08 296056]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
.
c:\documents and settings\Larry Hageman\Start Menu\Programs\Startup\
Event Reminder.lnk - c:\program files\Mindscape\PrintMaster\PMREMIND.EXE [2004-1-7 325632]
.
c:\documents and settings\Christine Hageman\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2011-9-29 3709208]
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-10-14 291896]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-04 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\program files\Soluto\soluto.exe /userinit"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-05 17:32 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 13:23 12536 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NecUsb3Sevices]
2012-02-12 17:50 37888 ----a-w- c:\windows\SYSTEM32\USB3Sw32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\USB3Sw32]
2012-02-12 17:50 37888 ----a-w- c:\windows\SYSTEM32\USB3Sw32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SolutoService]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\windows\pss\Billminder.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=c:\windows\pss\Quicken Startup.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Christine Hageman^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\Christine Hageman\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-12-08 06:36 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2007-08-30 22:43 4670704 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Soluto\\Soluto.exe"=
"c:\\Program Files\\Soluto\\SolutoService.exe"=
"c:\\Program Files\\Soluto\\SolutoConsole.exe"=
"c:\\Program Files\\Soluto\\SolutoUpdateService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 Soluto;Soluto;c:\windows\SYSTEM32\DRIVERS\Soluto.sys [10/19/2011 5:44 AM 51144]
R1 ATMhelpr;ATMhelpr;c:\windows\SYSTEM32\DRIVERS\ATMHELPR.SYS [1/7/2004 9:58 PM 4064]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [12/24/2008 11:35 AM 243152]
R1 crlscsi;crlscsi;c:\windows\SYSTEM32\DRIVERS\crlscsi.sys [6/11/2004 5:52 PM 6144]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/10/2006 1:53 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/27/2007 12:39 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [7/3/2010 10:43 AM 116608]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/15/2010 8:23 AM 308136]
R2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [6/15/2011 5:33 PM 249648]
R2 NecUsb3;USB3 Service;c:\windows\System32\svchost.exe -k NecUsb3Sevic [8/29/2002 6:00 AM 14336]
R2 SolutoService;Soluto PCGenome Core Service;c:\program files\Soluto\SolutoService.exe [10/18/2011 9:02 PM 456736]
R2 vToolbarUpdater;vToolbarUpdater;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe [1/15/2012 10:23 AM 909152]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys --> c:\windows\system32\Drivers\avgldx86.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/4/2009 12:07 PM 133104]
S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [7/7/2011 7:31 PM 195336]
S3 cur_bus;Curitel USB Composite Device driver (WDM);c:\windows\SYSTEM32\DRIVERS\cur_bus.sys [5/18/2009 5:51 PM 51040]
S3 cur_mdfl;Curitel Packet Service Filter;c:\windows\SYSTEM32\DRIVERS\cur_mdfl.sys [5/18/2009 5:53 PM 6064]
S3 cur_mdm;Curitel Packet Service Drivers;c:\windows\SYSTEM32\DRIVERS\cur_mdm.sys [5/18/2009 5:53 PM 82640]
S3 cur_serd;Curitel Packet Service Diagnostic Serial Port (WDM);c:\windows\SYSTEM32\DRIVERS\cur_serd.sys [5/18/2009 5:57 PM 64096]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/4/2009 12:07 PM 133104]
S3 HPCFILT6;Alcor Micro Corp - 6361;\??\c:\windows\System32\Drivers\HpcFilt6.sys --> c:\windows\System32\Drivers\HpcFilt6.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 5:51 PM 12872]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\SYSTEM32\DRIVERS\usbbc.sys [1/8/2004 9:49 PM 15576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
NecUsb3Sevic REG_MULTI_SZ NecUsb3
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
irsir
Gernuwa
DcLps
se59bus
whoisd32
L1e
s217nd5
pctoolsfirewallplus
cygserver
DLARTL_M
clmtomcatstartersvc
p1131vid
wap3gx
nmwcdcj
CVirtA
x10nets
nimcdldu
TPPWRIF
ofcpfwsvc
odysseyIM3
Subsonic
webrootenterpriseupdateservice
tap0901
nvgts
HFACSVC
c34nb4c5
statusagent
nidomainservice
DevUpper
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 08:32 128512 ----a-w- c:\windows\SYSTEM32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2012-02-11 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-26 17:09]
.
2012-02-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-04 17:07]
.
2012-02-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-04 17:07]
.
2012-02-12 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-511949123-2873604523-167704151-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-01-30 22:45]
.
2012-02-11 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-511949123-2873604523-167704151-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-01-30 22:45]
.
2012-02-12 c:\windows\Tasks\User_Feed_Synchronization-{382BFBB6-C21C-42CB-A9D8-7532AEF55EAE}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;*.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
Trusted Zone: plaxo.com\www
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 192.168.1.1
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\10.0.6\ViProtocol.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: vzTCPConfig - hxxp://my.verizon.com/micro/speedoptimizer/fios/vzTCPConfig.CAB
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
HKCU-Run-RepairSolutions - c:\program files\RepairSolutions\RepairSolutions.exe
SafeBoot-43893115.sys
SafeBoot-66889576.sys
AddRemove-Adobe Flash Player ActiveX - c:\windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.exe
AddRemove-com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1 - c:\program files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe
AddRemove-LinksLS99DeinstKey - c:\program files\LinksLS99\DeIsL1.isu
AddRemove-SpecOps - c:\program files\Zombie VR Studios\SpecOps\unSpec.isu
AddRemove-The Operational Art of War, Vol. I - c:\program files\TalonSoft\TOAW\Uninst.isu
AddRemove-{E7269FD6-34EA-4617-8752-6739AA384080} - c:\docume~1\ALLUSE~1\APPLIC~1\TARMAI~1\{E7269~1\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-12 17:07
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\$NtUninstallKB19369$:SummaryInformation 0 bytes hidden from API
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(632)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\USB3Sw32.dll
.
- - - - - - - > 'explorer.exe'(3460)
c:\windows\system32\WININET.dll
c:\progra~1\COMMON~1\SYMANT~1\ANTISPAM\ASOEHOOK.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\MozyHome\mozyshell.dll
c:\program files\MozyHome\LIBEAY32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\system32\LEXBCES.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\MozyHome\mozybackup.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\System32\MsPMSPSv.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\fxssvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Dell AIO Printer A920\dlbkbmon.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Symantec\LiveUpdate\LuComServer_3_4.EXE
c:\program files\Symantec\LiveUpdate\AUPDATE.EXE
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
.
**************************************************************************
.
Completion time: 2012-02-12 17:21:02 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-12 22:20
.
Pre-Run: 18,499,874,816 bytes free
Post-Run: 22,022,012,928 bytes free
.
- - End Of File - - 8CA05F01E757055D6498A2077AEFDFCF




#11 lchageman

lchageman
  • Topic Starter
  • Members
  • 87 posts
  • Gender:Female
  • Local time:12:30 PM

Posted 12 February 2012 - 06:43 PM

Here is the tdsskiller log:

21:47:14.0765 4220 TDSS rootkit removing tool 2.7.11.0 Feb 9 2012 10:12:57
21:47:15.0140 4220 ============================================================
21:47:15.0140 4220 Current date / time: 2012/02/11 21:47:15.0140
21:47:15.0140 4220 SystemInfo:
21:47:15.0140 4220
21:47:15.0140 4220 OS Version: 5.1.2600 ServicePack: 3.0
21:47:15.0140 4220 Product type: Workstation
21:47:15.0140 4220 ComputerName: MAIN
21:47:15.0140 4220 UserName: Christine Hageman
21:47:15.0140 4220 Windows directory: C:\WINDOWS
21:47:15.0140 4220 System windows directory: C:\WINDOWS
21:47:15.0140 4220 Processor architecture: Intel x86
21:47:15.0140 4220 Number of processors: 1
21:47:15.0140 4220 Page size: 0x1000
21:47:15.0140 4220 Boot type: Normal boot
21:47:15.0140 4220 ============================================================
21:47:21.0906 4220 Drive \Device\Harddisk0\DR0 - Size: 0x12A05F2000 (74.51 Gb), SectorSize: 0x200, Cylinders: 0x25FE, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
21:47:21.0906 4220 \Device\Harddisk0\DR0:
21:47:21.0906 4220 MBR used
21:47:21.0906 4220 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x139C5, BlocksNum 0x94EAFF8
21:47:22.0015 4220 Initialize success
21:47:22.0015 4220 ============================================================
21:47:46.0078 7532 ============================================================
21:47:46.0078 7532 Scan started
21:47:46.0078 7532 Mode: Manual; TDLFS;
21:47:46.0078 7532 ============================================================
21:47:47.0390 7532 Abiosdsk - ok
21:47:47.0484 7532 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\System32\DRIVERS\ABP480N5.SYS
21:47:47.0484 7532 abp480n5 - ok
21:47:47.0625 7532 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
21:47:47.0640 7532 ACPI - ok
21:47:47.0796 7532 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
21:47:47.0796 7532 ACPIEC - ok
21:47:47.0968 7532 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\System32\DRIVERS\adpu160m.sys
21:47:47.0968 7532 adpu160m - ok
21:47:48.0187 7532 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
21:47:48.0187 7532 aeaudio - ok
21:47:48.0359 7532 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
21:47:48.0375 7532 aec - ok
21:47:48.0562 7532 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
21:47:48.0562 7532 AFD - ok
21:47:48.0734 7532 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\System32\DRIVERS\agp440.sys
21:47:48.0734 7532 agp440 - ok
21:47:48.0906 7532 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\System32\DRIVERS\agpCPQ.sys
21:47:48.0906 7532 agpCPQ - ok
21:47:49.0046 7532 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\System32\DRIVERS\aha154x.sys
21:47:49.0046 7532 Aha154x - ok
21:47:49.0234 7532 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\System32\DRIVERS\aic78u2.sys
21:47:49.0234 7532 aic78u2 - ok
21:47:49.0343 7532 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\System32\DRIVERS\aic78xx.sys
21:47:49.0343 7532 aic78xx - ok
21:47:49.0593 7532 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\System32\DRIVERS\aliide.sys
21:47:49.0593 7532 AliIde - ok
21:47:49.0718 7532 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\System32\DRIVERS\alim1541.sys
21:47:49.0718 7532 alim1541 - ok
21:47:49.0921 7532 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\System32\DRIVERS\amdagp.sys
21:47:49.0921 7532 amdagp - ok
21:47:50.0031 7532 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\System32\DRIVERS\amsint.sys
21:47:50.0031 7532 amsint - ok
21:47:50.0203 7532 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\System32\DRIVERS\asc.sys
21:47:50.0203 7532 asc - ok
21:47:50.0406 7532 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\System32\DRIVERS\asc3350p.sys
21:47:50.0406 7532 asc3350p - ok
21:47:50.0578 7532 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\System32\DRIVERS\asc3550.sys
21:47:50.0578 7532 asc3550 - ok
21:47:50.0765 7532 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
21:47:50.0765 7532 AsyncMac - ok
21:47:50.0875 7532 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
21:47:50.0875 7532 atapi - ok
21:47:51.0031 7532 Atdisk - ok
21:47:51.0156 7532 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
21:47:51.0156 7532 Atmarpc - ok
21:47:51.0359 7532 ATMhelpr (3ef1db7f168851914517d4ed36b57c04) C:\WINDOWS\system32\drivers\ATMhelpr.sys
21:47:51.0359 7532 ATMhelpr - ok
21:47:51.0546 7532 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
21:47:51.0546 7532 audstub - ok
21:47:51.0671 7532 AvgLdx86 (b8c187439d27aba430dd69fdcf1fa657) C:\WINDOWS\System32\Drivers\avgldx86.sys
21:47:51.0671 7532 AvgLdx86 - ok
21:47:51.0843 7532 AvgMfx86 (80ff2b1b7eeda966394f0baa895bbf4b) C:\WINDOWS\System32\Drivers\avgmfx86.sys
21:47:51.0843 7532 AvgMfx86 - ok
21:47:51.0968 7532 AvgTdiX (9a7a93388f503a34e7339ae7f9997449) C:\WINDOWS\System32\Drivers\avgtdix.sys
21:47:52.0000 7532 AvgTdiX - ok
21:47:52.0250 7532 BCMModem (41347688046d49cde0f6d138a534f73d) C:\WINDOWS\system32\DRIVERS\BCMSM.sys
21:47:52.0312 7532 BCMModem - ok
21:47:52.0500 7532 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
21:47:52.0500 7532 Beep - ok
21:47:52.0593 7532 BlueletAudio (534b95fbd867d0512dcb43e6cc1aa91e) C:\WINDOWS\system32\DRIVERS\blueletaudio.sys
21:47:52.0609 7532 BlueletAudio - ok
21:47:52.0781 7532 BlueletSCOAudio (01d1832f2b13dfaf7384884f7c3e0124) C:\WINDOWS\system32\DRIVERS\BlueletSCOAudio.sys
21:47:52.0781 7532 BlueletSCOAudio - ok
21:47:53.0000 7532 BT (d1813668a0117ae05bc0b81c874f91d4) C:\WINDOWS\system32\DRIVERS\btnetdrv.sys
21:47:53.0000 7532 BT - ok
21:47:53.0140 7532 Btcsrusb (f7ff961f1b8bd229f94f648889a87b94) C:\WINDOWS\system32\Drivers\btcusb.sys
21:47:53.0140 7532 Btcsrusb - ok
21:47:53.0281 7532 BTHidEnum (e69d9e7854095a9c81acee40d766fe2d) C:\WINDOWS\system32\DRIVERS\vbtenum.sys
21:47:53.0281 7532 BTHidEnum - ok
21:47:53.0359 7532 BTHidMgr (a9164c2a39bd917b9f42ae087560ac3d) C:\WINDOWS\system32\Drivers\BTHidMgr.sys
21:47:53.0359 7532 BTHidMgr - ok
21:47:53.0484 7532 BTNetFilter (6b05fdc0cfc3753b520d2d4176cc32d0) C:\WINDOWS\system32\drivers\BTNetFilter.sys
21:47:53.0484 7532 BTNetFilter - ok
21:47:53.0562 7532 bvrp_pci - ok
21:47:53.0671 7532 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\System32\DRIVERS\cbidf2k.sys
21:47:53.0671 7532 cbidf - ok
21:47:53.0765 7532 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
21:47:53.0765 7532 cbidf2k - ok
21:47:53.0875 7532 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
21:47:53.0890 7532 CCDECODE - ok
21:47:54.0031 7532 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\System32\DRIVERS\cd20xrnt.sys
21:47:54.0031 7532 cd20xrnt - ok
21:47:54.0140 7532 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
21:47:54.0140 7532 Cdaudio - ok
21:47:54.0234 7532 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
21:47:54.0234 7532 Cdfs - ok
21:47:54.0375 7532 Cdralw2k (2c41cd49d82d5fd85c72d57b6ca25471) C:\WINDOWS\system32\drivers\Cdralw2k.sys
21:47:54.0390 7532 Cdralw2k - ok
21:47:54.0515 7532 Changer - ok
21:47:54.0703 7532 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\System32\DRIVERS\cmdide.sys
21:47:54.0703 7532 CmdIde - ok
21:47:54.0828 7532 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\System32\DRIVERS\cpqarray.sys
21:47:54.0828 7532 Cpqarray - ok
21:47:54.0984 7532 crlscsi (e08ac114b931dacafbdd9d5e0b93815c) C:\WINDOWS\system32\drivers\crlscsi.sys
21:47:54.0984 7532 crlscsi - ok
21:47:55.0171 7532 ctsfm2k (b459ae4afca570088adddbe55eabbc92) C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys
21:47:55.0171 7532 ctsfm2k - ok
21:47:55.0328 7532 cur_bus (ddb3368425f9f08c17de41b3415e89b2) C:\WINDOWS\system32\DRIVERS\cur_bus.sys
21:47:55.0328 7532 cur_bus - ok
21:47:55.0546 7532 cur_mdfl (3a38d5212b0b7e4c8644eb79e7d9fd8f) C:\WINDOWS\system32\DRIVERS\cur_mdfl.sys
21:47:55.0546 7532 cur_mdfl - ok
21:47:55.0687 7532 cur_mdm (c74b1d66fb0e970385fa8468bcfa9ac5) C:\WINDOWS\system32\DRIVERS\cur_mdm.sys
21:47:55.0687 7532 cur_mdm - ok
21:47:55.0843 7532 cur_serd (a330f4449ad54b4905a9f6adecd585e1) C:\WINDOWS\system32\DRIVERS\cur_serd.sys
21:47:55.0843 7532 cur_serd - ok
21:47:56.0187 7532 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\System32\DRIVERS\dac2w2k.sys
21:47:56.0187 7532 dac2w2k - ok
21:47:56.0421 7532 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\System32\DRIVERS\dac960nt.sys
21:47:56.0421 7532 dac960nt - ok
21:47:56.0640 7532 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
21:47:56.0640 7532 Disk - ok
21:47:56.0875 7532 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
21:47:56.0921 7532 dmboot - ok
21:47:57.0125 7532 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
21:47:57.0125 7532 dmio - ok
21:47:57.0312 7532 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
21:47:57.0312 7532 dmload - ok
21:47:57.0500 7532 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

21:47:57.0500 7532 DMusic - ok

21:47:57.0703 7532 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\System32\DRIVERS\dpti2o.sys

21:47:57.0703 7532 dpti2o - ok

21:47:57.0828 7532 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

21:47:57.0843 7532 drmkaud - ok

21:47:57.0984 7532 DSproct (413f2d5f9d802688242c23b38f767ecb) C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys

21:47:58.0015 7532 DSproct - ok

21:47:58.0203 7532 dsunidrv (dfeabb7cfffadea4a912ab95bdc3177a) C:\WINDOWS\system32\DRIVERS\dsunidrv.sys

21:47:58.0203 7532 dsunidrv - ok

21:47:58.0312 7532 E100B (98b46b331404a951cabad8b4877e1276) C:\WINDOWS\system32\DRIVERS\e100b325.sys

21:47:58.0328 7532 E100B - ok

21:47:58.0515 7532 EL90XBC (6e883bf518296a40959131c2304af714) C:\WINDOWS\system32\DRIVERS\el90xbc5.sys

21:47:58.0515 7532 EL90XBC - ok

21:47:58.0640 7532 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

21:47:58.0656 7532 Fastfat - ok

21:47:58.0828 7532 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

21:47:58.0828 7532 Fdc - ok

21:47:58.0984 7532 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

21:47:58.0984 7532 Fips - ok

21:47:59.0171 7532 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

21:47:59.0171 7532 Flpydisk - ok

21:47:59.0265 7532 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

21:47:59.0265 7532 FltMgr - ok

21:47:59.0375 7532 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

21:47:59.0375 7532 Fs_Rec - ok

21:47:59.0484 7532 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

21:47:59.0484 7532 Ftdisk - ok

21:47:59.0609 7532 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys

21:47:59.0609 7532 gameenum - ok

21:47:59.0796 7532 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys

21:47:59.0796 7532 GEARAspiWDM - ok

21:47:59.0968 7532 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

21:47:59.0968 7532 Gpc - ok

21:48:00.0203 7532 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

21:48:00.0203 7532 HidUsb - ok

21:48:00.0359 7532 HPCFILT6 (db892e31bbee7f4a975ffda8d3d68a2c) C:\WINDOWS\System32\Drivers\HpcFilt6.sys

21:48:00.0375 7532 HPCFILT6 - ok

21:48:00.0546 7532 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\System32\DRIVERS\hpn.sys

21:48:00.0546 7532 hpn - ok

21:48:00.0718 7532 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

21:48:00.0718 7532 HTTP - ok

21:48:00.0828 7532 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys

21:48:00.0828 7532 i2omgmt - ok

21:48:01.0078 7532 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\System32\DRIVERS\i2omp.sys

21:48:01.0078 7532 i2omp - ok

21:48:01.0265 7532 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

21:48:01.0265 7532 i8042prt - ok

21:48:01.0406 7532 i81x (06b7ef73ba5f302eecc294cdf7e19702) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys

21:48:01.0406 7532 i81x - ok

21:48:01.0625 7532 iAimFP0 (7b5b44efe5eb9dadfb8ee29700885d23) C:\WINDOWS\system32\DRIVERS\wADV01nt.sys

21:48:01.0625 7532 iAimFP0 - ok

21:48:01.0828 7532 iAimFP1 (eb1f6bab6c22ede0ba551b527475f7e9) C:\WINDOWS\system32\DRIVERS\wADV02NT.sys

21:48:01.0828 7532 iAimFP1 - ok

21:48:02.0015 7532 iAimFP2 (03ce989d846c1aa81145cb22fcb86d06) C:\WINDOWS\system32\DRIVERS\wADV05NT.sys

21:48:02.0015 7532 iAimFP2 - ok

21:48:02.0203 7532 iAimFP3 (525849b4469de021d5d61b4db9be3a9d) C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys

21:48:02.0218 7532 iAimFP3 - ok

21:48:02.0375 7532 iAimFP4 (589c2bcdb5bd602bf7b63d210407ef8c) C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys

21:48:02.0375 7532 iAimFP4 - ok

21:48:02.0500 7532 iAimTV0 (d83bdd5c059667a2f647a6be5703a4d2) C:\WINDOWS\system32\DRIVERS\wATV01nt.sys

21:48:02.0500 7532 iAimTV0 - ok

21:48:02.0750 7532 iAimTV1 (ed968d23354daa0d7c621580c012a1f6) C:\WINDOWS\system32\DRIVERS\wATV02NT.sys

21:48:02.0750 7532 iAimTV1 - ok

21:48:02.0906 7532 iAimTV2 - ok

21:48:03.0031 7532 iAimTV3 (d738273f218a224c1ddac04203f27a84) C:\WINDOWS\system32\DRIVERS\wATV04nt.sys

21:48:03.0031 7532 iAimTV3 - ok

21:48:03.0250 7532 iAimTV4 (0052d118995cbab152daabe6106d1442) C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys

21:48:03.0250 7532 iAimTV4 - ok

21:48:03.0406 7532 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

21:48:03.0406 7532 Imapi - ok

21:48:03.0625 7532 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\System32\DRIVERS\ini910u.sys

21:48:03.0625 7532 ini910u - ok

21:48:03.0828 7532 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\System32\DRIVERS\intelide.sys

21:48:03.0828 7532 IntelIde - ok

21:48:04.0062 7532 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

21:48:04.0078 7532 intelppm - ok

21:48:04.0265 7532 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

21:48:04.0265 7532 ip6fw - ok

21:48:04.0390 7532 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

21:48:04.0390 7532 IpFilterDriver - ok

21:48:04.0578 7532 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

21:48:04.0578 7532 IpInIp - ok

21:48:04.0671 7532 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

21:48:04.0671 7532 IpNat - ok

21:48:04.0828 7532 IPSec (19dd19fb992d6bf67811913b6feae577) C:\WINDOWS\system32\DRIVERS\ipsec.sys

21:48:04.0875 7532 IPSec ( Virus.Win32.ZAccess.c ) - infected

21:48:04.0875 7532 IPSec - detected Virus.Win32.ZAccess.c (0)

21:48:31.0015 7532 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0

21:48:31.0218 7532 \Device\Harddisk0\DR0 ( TDSS File System ) - warning

21:48:31.0218 7532 \Device\Harddisk0\DR0 - detected TDSS File System (1)

21:48:31.0281 7532 Boot (0x1200) (ccd4687bd299343156d62555bdc30d00) \Device\Harddisk0\DR0\Partition0

21:48:31.0281 7532 \Device\Harddisk0\DR0\Partition0 - ok

21:48:31.0281 7532 ============================================================

21:48:31.0281 7532 Scan finished

21:48:31.0281 7532 ============================================================

21:48:31.0296 6460 Detected object count: 2

21:48:31.0296 6460 Actual detected object count: 2

21:49:36.0750 6460 C:\WINDOWS\system32\DRIVERS\ipsec.sys - copied to quarantine

21:49:36.0765 6460 VerifyFileNameVersionInfo: GetFileVersionInfoSizeW(C:\WINDOWS\system32\drivers\ipsec.sys) error 1813

21:49:39.0328 6460 Backup copy found, using it..

21:49:39.0343 6460 C:\WINDOWS\system32\DRIVERS\ipsec.sys - will be cured on reboot

21:49:50.0593 6460 IPSec ( Virus.Win32.ZAccess.c ) - User select action: Cure

21:49:50.0593 6460 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user

21:49:50.0593 6460 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip

21:49:55.0203 4784 Deinitialize success



#12 CatByte
  • Malware Response Team

Posted 12 February 2012 - 07:07 PM

Well, that file is where it is supposed to be.

Let's look and see what the image path for the keyboard is.

Please export the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdclass


Go to Start > Run > copy and paste the following command into the run box > OK:

regedit /a "%userprofile%\desktop\output.txt" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdclass"


A new file called output.txt should appear on your Desktop, please post the contents with your next response.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 lchageman
  • Topic Starter

Posted 12 February 2012 - 07:35 PM

OK, here it is:



REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdclass]
"ErrorControl"=dword:00000001
"Group"="Keyboard Class"
"Start"=dword:00000001
"Tag"=dword:00000001
"Type"=dword:00000001
"DisplayName"="Keyboard Class Driver"
"ImagePath"=hex(2):53,79,73,74,65,6d,33,32,5c,44,52,49,56,45,52,53,5c,6b,62,64,\
  63,6c,61,73,73,2e,73,79,73,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdclass\Parameters]
"ConnectMultiplePorts"=dword:00000000
"KeyboardDataQueueSize"=dword:00000064
"KeyboardDeviceBaseName"="KeyboardClass"
"MaximumPortsServiced"=dword:00000003
"SendOutputToAllPorts"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdclass\Enum]
"0"="Root\\RDP_KBD\\0000"
"Count"=dword:00000002
"NextInstance"=dword:00000002
"1"="ACPI\\PNP0303\\4&1506bb2e&0"

 



#14 CatByte
  • Malware Response Team

Posted 12 February 2012 - 07:55 PM

Well, the image path is pointing to the correct location as well; I'm not finding why the keyboard won't run.

Let's see if the file actually exists (I'm just assuming it does), then we'll see if it's infected.

We'll use SystemLook again.

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:
:filefind
*kbdclass*

Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 lchageman
  • Topic Starter

Posted 12 February 2012 - 10:04 PM

SystemLook 30.07.11 by jpshortstuff
Log created at 22:01 on 12/02/2012 by Christine Hageman
Administrator - Elevation successful


========== filefind ==========

Searching for "*kbdclass*"
C:\cmdcons\KBDCLASS.SY_ --a---- 12223 bytes [03:58 04/08/2004] [03:58 04/08/2004] 9C0B5DF5E22E6F17A8D40CDFCDACACD8
C:\I386\KBDCLASS.SYS --a--c- 23424 bytes [01:35 05/01/2004] [07:27 29/08/2002] 1E7F78C2FC393356CD884C6FDE7966F9
C:\WINDOWS\$NtServicePackUninstall$\kbdclass.sys -----c- 24576 bytes [14:35 20/08/2008] [05:58 04/08/2004] EBDEE8A2EE5393890A1ACEE971C4C246
C:\WINDOWS\erdnt\cache\kbdclass.sys --a---- 24576 bytes [19:48 31/01/2010] [18:39 13/04/2008] 463C1EC80CD17420A542B7F36A36F128
C:\WINDOWS\ServicePackFiles\i386\kbdclass.sys ------- 24576 bytes [05:58 04/08/2004] [18:39 13/04/2008] 463C1EC80CD17420A542B7F36A36F128
C:\WINDOWS\SYSTEM32\DRIVERS\kbdclass.sys --a---- 24576 bytes [07:27 29/08/2002] [18:39 13/04/2008] 463C1EC80CD17420A542B7F36A36F128


-= EOF =-
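To answer the question in the previous post (does the live kbdclass.sys still match a trusted copy?), here is an added example that is not from the thread and not SystemLook's own code: it parses the filefind lines above and compares the MD5 of the driver in system32\drivers with the ServicePackFiles\i386 copy. The default directory parameters are assumptions matching this machine's layout.

```python
"""Cross-check the copies of a driver that a SystemLook ":filefind" scan lists.

Added example for this thread (not from the post, and not SystemLook's own
code): it parses the filefind lines above and asks the question CatByte is
asking, whether the live kbdclass.sys under system32\drivers still matches
the service-pack copy that Windows keeps in ServicePackFiles\i386.  A
kernel rootkit can filter what user-mode tools see, so agreement here is
evidence, not proof; disagreement is a clear signal.
"""
import re

# One filefind result line: path, 7 attribute flags, size, two timestamps, MD5.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<ts1>[^\]]+)\]\s+\[(?P<ts2>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)

# Sample input: the filefind block from the post above, embedded for an offline run.
SAMPLE_LOG = r"""
========== filefind ==========

Searching for "*kbdclass*"
C:\cmdcons\KBDCLASS.SY_ --a---- 12223 bytes [03:58 04/08/2004] [03:58 04/08/2004] 9C0B5DF5E22E6F17A8D40CDFCDACACD8
C:\I386\KBDCLASS.SYS --a--c- 23424 bytes [01:35 05/01/2004] [07:27 29/08/2002] 1E7F78C2FC393356CD884C6FDE7966F9
C:\WINDOWS\$NtServicePackUninstall$\kbdclass.sys -----c- 24576 bytes [14:35 20/08/2008] [05:58 04/08/2004] EBDEE8A2EE5393890A1ACEE971C4C246
C:\WINDOWS\erdnt\cache\kbdclass.sys --a---- 24576 bytes [19:48 31/01/2010] [18:39 13/04/2008] 463C1EC80CD17420A542B7F36A36F128
C:\WINDOWS\ServicePackFiles\i386\kbdclass.sys ------- 24576 bytes [05:58 04/08/2004] [18:39 13/04/2008] 463C1EC80CD17420A542B7F36A36F128
C:\WINDOWS\SYSTEM32\DRIVERS\kbdclass.sys --a---- 24576 bytes [07:27 29/08/2002] [18:39 13/04/2008] 463C1EC80CD17420A542B7F36A36F128

-= EOF =-
"""


def parse_filefind(text):
    """Return one dict per matched file (path, attrs, size, ts1, ts2, md5)."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            rec["md5"] = rec["md5"].upper()
            hits.append(rec)
    return hits


def check_driver(text, name, live_dir=r"C:\WINDOWS\SYSTEM32\DRIVERS",
                 ref_dir=r"C:\WINDOWS\ServicePackFiles\i386"):
    """Compare the live driver's MD5 and size with the service-pack reference copy.

    Only ServicePackFiles is a fair reference: the I386 and cmdcons copies are
    the pre-service-pack (or compressed .SY_) versions and differ legitimately.
    """
    by_path = {h["path"].lower(): h for h in parse_filefind(text)}   # NTFS is case-insensitive
    live = by_path.get(f"{live_dir}\\{name}".lower())
    ref = by_path.get(f"{ref_dir}\\{name}".lower())
    if live is None:
        return {"status": "missing", "detail": "live driver not found on disk"}
    if ref is None:
        return {"status": "no-reference", "live_md5": live["md5"]}
    same = live["md5"] == ref["md5"] and live["size"] == ref["size"]
    # Other on-disk copies carrying the same hash (e.g. erdnt\cache) add confidence.
    agreeing = sorted(h["path"] for h in by_path.values() if h["md5"] == live["md5"])
    return {"status": "matches-reference" if same else "MODIFIED",
            "live_md5": live["md5"], "reference_md5": ref["md5"],
            "agreeing_copies": agreeing}


if __name__ == "__main__":
    print(check_driver(SAMPLE_LOG, "kbdclass.sys"))
```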







